In brief: As of May 2017, Kaspersky Lab researchers have observed more than 7,200 different samples of malware for IoT devices in honeypot activity, more than double the number from last year, demonstrating that IoT devices are becoming increasingly vulnerable on a number of fronts, including passwords, firmware, and telnet/SSH ports.
Bad news for anyone who thinks connected devices in the Internet of Things (IoT) are any more secure than they were last year. They’re not—and remain under threat of consistent and increasing attack from various types of malware, according to researchers from Kaspersky Lab.
Researchers from Kaspersky set up a number of honeypots imitating various IoT devices running Linux and left them connected to the Internet to see what happened. What they found was that within seconds, potential hackers attempted connections to the open telnet port, with tens of thousands of attempted connections from unique IP addresses clocked over a 24-hour period.
The findings are certainly worrying given the sheer numbers of devices that have now come online as part of the somewhat nebulous and fast-growing Internet of Things, which is populating the globe with devices that are connecting via insecure wireless protocols.
“According to Gartner, there are currently over 6 billion IoT devices on the planet,” Kaspersky security analysts Vladimir Kuskov, Mikhail Kuzin, Yaroslav Shmelev, Denis Makrushin and Igor Grachev noted in a SecureList blog post reporting their findings. “Such a huge number of potentially vulnerable gadgets could not possibly go unnoticed by cybercriminals.”
The connection attempts were observed in honeypot activity between January and April 2017, researchers said. By way of comparison, in 2016 Kaspersky researchers observed a mere 3,219 instances of malware for IoT devices, which means these types of threats have more than doubled since last year.
The majority of the attempted connections used the telnet protocol, while the rest used SSH, according to researchers. More than half, or 63 percent, of the attempted attacks came from IP addresses that were linked to DVR services or IP cameras. Twenty percent of the connections originated with network devices and routers.
Researchers also took note of the diverse geographies from which the attempted connections came, as well as which days of the week were more likely to see attack activity. The majority of the attempted attacks came from Vietnam, followed by Taiwan, Brazil, Turkey, Republic of Korea, India, the United States, Russia, China and Romania.
Monday was the most popular day for attack activity, with it tapering off slightly in the middle of the week to rise again on the weekend. However, researchers could see no rhyme or reason for this pattern. “It appears Monday is a difficult day for cybercriminals too,” they wrote. “We couldn’t find any other explanation for this peculiar behavior.”
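For anyone running their own honeypot, the tallies reported above (attempts and unique source addresses per protocol, and activity by day of the week) can be computed from connection logs as follows. This is an added example, not Kaspersky's code; the log format, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample; the "<UTC time> <source IP> <dest port>" format is an assumption.
SAMPLE_LOG = """\
2017-04-03T00:00:07Z 203.0.113.5 23
2017-04-03T00:00:09Z 203.0.113.5 23
2017-04-03T00:01:12Z 198.51.100.20 23
2017-04-03T02:14:55Z 192.0.2.77 22
2017-04-08T19:45:40Z 192.0.2.200 22
not a log line
"""
PORT_PROTOCOL = {22: "ssh", 23: "telnet"}
WEEKDAYS = "Monday Tuesday Wednesday Thursday Friday Saturday Sunday".split()

def parse_line(line):
    """Return (datetime, source_ip, protocol), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ip = str(ipaddress.ip_address(parts[1]))  # rejects invalid addresses
        port = int(parts[2])
    except ValueError:
        return None
    return ts, ip, PORT_PROTOCOL.get(port, "other")

def summarize(log_text):
    """Tally attempts and unique sources per protocol, and attempts per weekday."""
    attempts, weekdays, skipped = Counter(), Counter(), 0
    sources = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        ts, ip, proto = rec
        attempts[proto] += 1
        sources[proto].add(ip)  # a set, so repeat attempts from one IP count once
        weekdays[WEEKDAYS[ts.weekday()]] += 1
    return {
        "attempts": dict(attempts),
        "unique_sources": {p: len(s) for p, s in sources.items()},
        "share_percent": {p: round(100 * n / sum(attempts.values()), 1) for p, n in attempts.items()},
        "by_weekday": dict(weekdays),
        "skipped": skipped,
    }
print(summarize(SAMPLE_LOG))
```

Keeping attempts and unique sources as separate counts matters because a single infected device typically retries many times, so raw attempt counts overstate the number of distinct attackers.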
There are a number of key and as-yet unsolved security issues that allow for such rampant attacks on IoT devices, researchers said. Firmware is the top concern, as device manufacturers are slow to release firmware updates for smart devices even in best-case scenarios, they said. “In the worst case, firmware doesn’t get updated at all, and many devices don’t even have the ability to install firmware updates,” researchers wrote. This leaves devices with a number of loopholes and vulnerabilities for hackers to exploit.
IoT devices also are inherently insecure because often their telnet and/or SSH ports are available to the outside world.
And passwords continue to be a problem and an easy way for hackers to gain access, as device manufacturers still set preconfigured passwords for entire product ranges. “This situation has existed for so long that the login/password combinations can easily be found on the Internet–something that cybercriminals actively exploit,” researchers wrote.
Consequences for end users if their IoT devices are accessed by bad actors range from barely noticeable to dire, depending on who hackers target, the Kaspersky team said.
“The most common scenario is your device ending up as part of a botnet,” researchers wrote. “This scenario is perhaps the most innocuous for its owner; the other scenarios are more dangerous. For example, your home network devices could be used to perform illegal activities, or a cybercriminal who has gained access to an IoT device could spy on and later blackmail its owner–we have already heard of such things happening.”
An IoT device end user also could end up with merely a busted device, although this, according to researchers, is one of the better-case scenarios.
Researchers offered some words of wisdom that seem fairly obvious to anyone familiar with Internet technology to help IoT device owners protect their connected devices. They advised them to deny access to devices outside the local network, unless it’s specifically needed to use the device, as well as to disable all network services that aren’t needed for use.
In terms of protecting passwords, Kaspersky researchers advised disabling network services, or access to them, if a device has a preconfigured or default password or a preconfigured account that can’t be deactivated. If this is not the case, they recommend changing default passwords and setting new, strong ones. The team also recommended that people regularly update the firmware of IoT devices to the latest version to get the best and most current security for them.